One of the reasons companies struggle with maturing their information security and/or data privacy programs is the investment in technology has not been fully realized. This comes up over and over and relates to the implementation and maintenance of technical tools that have been purchased. For a number of reasons, companies find themselves unprotected. The issues need to be addressed, and it doesn’t mean you need to “rip and replace” the tools you have purchased. You simply need to step back and understand the barriers to success.
Shelfware or Partial Implementation
Many organizations that I’ve worked with recently have mentioned they invested in technology when the market (and company profitability) was ripe, but the tools have yet to be implemented. Similarly, they have purchased expensive tools that do “everything,” yet have implemented only a small portion of the functionality. Both scenarios prevent the company from truly recognizing the benefit of the investment.
The reasoning varies from lack of staff, to competing priorities, to change in direction, to just plain not having enough time to dedicate to doing it correctly. How many times have we thought we would come back to “fix” an initial implementation and never actually get around to doing it? Perhaps there was a change in staff and you didn’t even realize you were paying for a tool that is sitting on the shelf?
In this case, the hard decision must be made. Either move forward and implement it correctly, or determine this isn’t something you want to be funding any longer. Make this decision thoughtfully, through a detailed analysis, as the company has already made an investment in it to some degree.
Unmanaged or Poorly-Managed Tools
Another common scenario is when tools are implemented, they are running, but there isn’t anything being done with the output. If there isn’t someone responsible for monitoring the tool availability, the functionality being delivered, the ongoing maintenance/upgrades, the value being provided could be worthless. Again, the reasons for this will vary, but it is also an example of an investment that is not being realized.
Usually, when I see this situation, it is due to lack of people or skillset. It could be as easy as holding someone accountable to do the work, but more likely, it is due to limited resources who are busy with other priorities or are not trained in the technology. This could be an easy fix, i.e., training. As predicted in a Forbes article, 2018 continues to see a shortage of security staff, which makes this issue continue to grow. If it’s resource-related, an alternative is to look at a managed services solution as a viable option.
If you do determine that a managed services solution is an option, I would recommend that you thoroughly vet the provider. Since resource issues are becoming a problem for many organizations, there are quite a few vendors the are popping up and claim to provide services related to MDR and/or SOC (Managed Detection and Response and/or a Security Operations Center).
This example occurs much more often than one would think. Many times, organizations are at the mercy of the Administrator that manages the technology. If they are the only one who knows the tool, they may have thought it was implemented correctly, yet something was missed altogether. I have a few scenarios where this turned out to be the case, and the company had no idea the functionality was not being utilized appropriately.
It’s a bit harder to uncover this type of situation. There are simulation tools that can validate controls, there are also health checks that are typically offered through the vendor. I have seen much better results from the simulation tools that are now becoming necessary in organizations for this reason and also to determine where there may be additional vulnerabilities in a series of technologies. Here is a link to one of our partners that provides simulation tools for this very example (www.safebreach.com).
Ultimately, if the tool is not fully implemented, for whatever reason, your return is not being realized. Prior to making drastic changes, look at some of the more practical solutions to ensure you are able to maximize what you’ve already invested!